Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

// // //

An Answer to APP Scams You Can Bank On

Financial institutions' usual fraud-detection methods can't detect most authorized push payment (APP) scams, putting customers and banks at risk.

A coalition of organizations recently penned an open letter urging the UK government to include scams in its new Online Safety Bill.

Related Content:

3 Classes of Account Fraud That Can Cost Your Company Big Time

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

From the letter: "Online platforms play a pivotal role in enabling criminals to reach and defraud Internet users through the hosting, promotion, and targeting of fake and fraudulent content on their sites, including adverts that they make significant profits from."

The coalition's heart is absolutely in the right place. Consumers deserve better protection, and anyone who distributes, proliferates, or worse, profits from scam advertisements or content should indeed be held accountable.

But the unfortunate reality is that scam ads, emails, text messages, and phone calls continue to penetrate even the best-designed defenses.

When this happens — and it happens a lot — the communication, purportedly coming from a bank or government official, the police, or even a tax authority, drives an emotional response from the recipient.

Motivated by this emotion, as well as a sense of urgency and an inherent trust in the authority of the other party, duped consumers are spurred to act — often logging in to their own financial accounts to execute a transfer that "remedies the crisis." Banks call this authorized push payment (APP) fraud since the authorized user is the one making the transfer. For the layperson, it can simply be characterized as account transfer fraud.

In the United Kingdom alone in 2020, £479 million in losses reported by customers were attributed by banks to APP fraud, according to UK Finance.

The Challenge for Banks
The amount of losses is not a surprise. Just think about it: A bank's security stack must be able to decipher within milliseconds whether it's you or someone else knocking on the door to your online account.

But in the case of an APP scam, money is being transferred by the actual bank customer, who has been tricked into making a financial transaction, often transferring funds to accounts set up by scammers for this specific purpose in faraway places. In an APP scam, all of the bank's traditional modes of fraud detection — a trusted device, geolocation, IP address, and network — fall short.

What's worse, all the crucial elements of the setup occur outside the bank's purview — in places both online and offline that they can't track. They are completely blind to the scheme.

It's an incredibly confounding challenge for the banks (or anyone, frankly) as they try to stem losses and protect their customers.

Fining content distributors for taking in advertising dollars from scammers is a good place to start. But to protect vulnerable consumers, the banks also need a way to recognize that a scam is occurring, even though their anti-fraud systems are accurately detecting the legitimate customer operating within the account. The banks need a last line of defense at the spot where APP fraud occurs and traditional methods of security fail.

One such detection method that is rapidly being deployed to defeat these scams is behavioral biometrics. The technology got its wings confirming that the person behind a screen is who they claim to be — by continuously tracking swipes, taps, keystrokes, mouse movements, and other behavioral characteristics throughout an online session, and comparing them with preexisting customer profiles — all without interfering with the user's journey around the bank's website.

But beyond providing this kind of real-time, continuous authentication throughout a session, the latest advances in behavioral biometrics have enabled banks to recognize when a legitimate user is behaving as if under the influence of a scam, generally by deviating from their existing norms while navigating their websites.

A Challenge to Regulators
Given the effectiveness of such newly emerging technologies, regulators should also consider something more comprehensive than what the coalition proposes. For example, in addition to fining the content distributors, regulators could reward banks that adopt proven, innovative solutions, rather than relying on limited or outmoded security methods that have largely been compromised.

One way this could work is to require banks to disclose their APP fraud losses, with governments providing tax credits or other financial incentives where loss rates meet a predefined standard. The revenue lost to these incentives could be offset by fines generated from leaky content creators.

The Answer for Boards
Thanks to financial and logistical support from malevolent nation-states, today's fraudsters are becoming ever more resourceful and behaving more like criminal enterprises. Nefarious networks are rapidly replacing the standalone hacker, creating an arms race of sorts between cybercriminals and the banks whose defenses they seek to exploit.

This escalating threat has put cybersecurity front and center on corporate board agendas. With top-level responsibility now a fact of corporate life, it is hard to understand why any bank board would fail to adopt innovative technologies to achieve a secure and seamless online experience.

Amelia Ahlgren is EVP, Strategy and Operations, at BioCatch, where she is responsible for corporate strategy, development, and the BioCatch Client Innovation Board, a collective of forward-thinking banks seeking to leverage the unique attributes of behavioral data to solve ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35942
PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
CVE-2022-35949
PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js con...
CVE-2022-35953
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...